CVE-2021-32933 - OpenCVE

An attacker could leverage an API to pass along a malicious file that could then manipulate the process creation command line in MDT AutoSave versions prior to v6.02.06 and run a command line argument. This could then be leveraged to run a malicious process.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Auvesy-mdt	Autosave Autosave For System Platform

Configuration 1 [-]

OR	cpe:2.3:a:auvesy-mdt:autosave::::::::
	cpe:2.3:a:auvesy-mdt:autosave::::::::
	cpe:2.3:a:auvesy-mdt:autosave_for_system_platform::::::::
	cpe:2.3:a:auvesy-mdt:autosave_for_system_platform:5.00:::::::*

No data.

References

Link	Providers
https://www.cisa.gov/uscert/ics/advisories/icsa-21-189-02

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2022-04-01T22:17:06

Updated: 2024-08-03T23:33:56.231Z

Reserved: 2021-05-13T00:00:00

Link: CVE-2021-32933

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-04-01T23:15:09.487

Modified: 2022-10-25T19:36:59.693

Link: CVE-2021-32933

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "MDT AutoSave", "vendor": "MDT Software", "versions": [{"lessThan": "6.02.06", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "MDT AutoSave", "vendor": "MDT Software", "versions": [{"lessThan": "7.04", "status": "affected", "version": "7.00", "versionType": "custom"}]}, {"product": "AutoSave for System Platform (A4SP)", "vendor": "MDT Software", "versions": [{"lessThan": "4.01", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "A4SP", "vendor": "MDT Software", "versions": [{"status": "affected", "version": "5.00"}]}], "credits": [{"lang": "en", "value": "Amir Preminger of Claroty Research reported these vulnerabilities to MDT Software."}], "descriptions": [{"lang": "en", "value": "An attacker could leverage an API to pass along a malicious file that could then manipulate the process creation command line in MDT AutoSave versions prior to v6.02.06 and run a command line argument. This could then be leveraged to run a malicious process."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "description": "CWE-77: Command Injection", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-01T22:17:06", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-189-02"}], "solutions": [{"lang": "en", "value": "Updated versions of MDT AutoSave and AutoSave for System Platform (A4SP) were developed to address these vulnerabilities as follows:\nMDT AutoSave 6.x version: Version 6.02.06 (Released January 2021)\nMDT AutoSave 7.x version: Version 7.05 (Released December 2020)\nA4SP 4.x version: Version 4.01 (Released June 2021)\nA4SP 5.x version: Version 5.01 (Released May 2021)\n\nFor more information about these vulnerabilities, and to obtain and install the new versions, please contact MDT Software customer support."}], "source": {"discovery": "EXTERNAL"}, "title": "MDT AutoSave Command Injection", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2021-32933", "STATE": "PUBLIC", "TITLE": "MDT AutoSave Command Injection"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "MDT AutoSave", "version": {"version_data": [{"version_affected": "<", "version_value": "6.02.06"}]}}, {"product_name": "MDT AutoSave", "version": {"version_data": [{"version_affected": "<", "version_name": "7.00", "version_value": "7.04"}]}}, {"product_name": "AutoSave for System Platform (A4SP)", "version": {"version_data": [{"version_affected": "<", "version_value": "4.01"}]}}, {"product_name": "A4SP", "version": {"version_data": [{"version_affected": "=", "version_value": "5.00"}]}}]}, "vendor_name": "MDT Software"}]}}, "credit": [{"lang": "eng", "value": "Amir Preminger of Claroty Research reported these vulnerabilities to MDT Software."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An attacker could leverage an API to pass along a malicious file that could then manipulate the process creation command line in MDT AutoSave versions prior to v6.02.06 and run a command line argument. This could then be leveraged to run a malicious process."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-77: Command Injection"}]}]}, "references": {"reference_data": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-189-02", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-189-02"}]}, "solution": [{"lang": "en", "value": "Updated versions of MDT AutoSave and AutoSave for System Platform (A4SP) were developed to address these vulnerabilities as follows:\nMDT AutoSave 6.x version: Version 6.02.06 (Released January 2021)\nMDT AutoSave 7.x version: Version 7.05 (Released December 2020)\nA4SP 4.x version: Version 4.01 (Released June 2021)\nA4SP 5.x version: Version 5.01 (Released May 2021)\n\nFor more information about these vulnerabilities, and to obtain and install the new versions, please contact MDT Software customer support."}], "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:33:56.231Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-189-02"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2021-32933", "datePublished": "2022-04-01T22:17:06", "dateReserved": "2021-05-13T00:00:00", "dateUpdated": "2024-08-03T23:33:56.231Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:auvesy-mdt:autosave:*:*:*:*:*:*:*:*", "matchCriteriaId": "8F0612E0-E5EE-45B1-B49C-BD1296B9EACB", "versionEndExcluding": "6.02.06", "vulnerable": true}, {"criteria": "cpe:2.3:a:auvesy-mdt:autosave:*:*:*:*:*:*:*:*", "matchCriteriaId": "8450FA45-0C07-42D5-B817-AC990579D4F6", "versionEndIncluding": "7.04", "versionStartIncluding": "7.00", "vulnerable": true}, {"criteria": "cpe:2.3:a:auvesy-mdt:autosave_for_system_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "DDA02918-09D4-43B6-95E6-3023E3DEE57A", "versionEndExcluding": "4.01", "vulnerable": true}, {"criteria": "cpe:2.3:a:auvesy-mdt:autosave_for_system_platform:5.00:*:*:*:*:*:*:*", "matchCriteriaId": "682D5F51-4153-47C3-961C-6C5B4A124E3D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An attacker could leverage an API to pass along a malicious file that could then manipulate the process creation command line in MDT AutoSave versions prior to v6.02.06 and run a command line argument. This could then be leveraged to run a malicious process."}, {"lang": "es", "value": "Un atacante podr\u00eda aprovechar una API para pasar un archivo malicioso que luego podr\u00eda manipular la l\u00ednea de comandos de creaci\u00f3n de procesos en MDT AutoSave versiones anteriores a v6.02.06 y ejecutar un argumento de l\u00ednea de comandos. Esto podr\u00eda ser aprovechado para ejecutar un proceso malicioso"}], "id": "CVE-2021-32933", "lastModified": "2022-10-25T19:36:59.693", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.8, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2022-04-01T23:15:09.487", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-189-02"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-77"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}